pim: random fuzzing fixes

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>

diff --git a/pimd/pim_neighbor.c b/pimd/pim_neighbor.c
index 571173c62a2478e5cbddacca7e4b15351aa5d292..b2dfc309da97f00f0f816ed7416e712865994250 100644 (file)
--- a/pimd/pim_neighbor.c
+++ b/pimd/pim_neighbor.c
@@ -626,15 +626,15 @@ void pim_neighbor_delete(struct interface *ifp, struct pim_neighbor *neigh,
        if (!PIM_OPTION_IS_SET(neigh->hello_options,
                               PIM_OPTION_MASK_LAN_PRUNE_DELAY)) {
                /* update num. of neighbors without hello option lan_delay */
-
-               --pim_ifp->pim_number_of_nonlandelay_neighbors;
+               pim_ifp->pim_number_of_nonlandelay_neighbors = MAX(
+                       pim_ifp->pim_number_of_nonlandelay_neighbors - 1, 0);
        }
 
        if (!PIM_OPTION_IS_SET(neigh->hello_options,
                               PIM_OPTION_MASK_DR_PRIORITY)) {
                /* update num. of neighbors without dr_pri */
-
-               --pim_ifp->pim_dr_num_nondrpri_neighbors;
+               pim_ifp->pim_dr_num_nondrpri_neighbors =
+                       MAX(pim_ifp->pim_dr_num_nondrpri_neighbors - 1, 0);
        }
 
        assert(neigh->propagation_delay_msec

diff --git a/pimd/pim_register.c b/pimd/pim_register.c
index e2538da36f35face5d0d3101369b420da86b1f12..8047a93a718785967201b228c38fc89a26ef4ad0 100644 (file)
--- a/pimd/pim_register.c
+++ b/pimd/pim_register.c
@@ -325,6 +325,11 @@ int pim_register_recv(struct interface *ifp, struct in_addr dest_addr,
        struct pim_instance *pim = pim_ifp->pim;
 
 #define PIM_MSG_REGISTER_BIT_RESERVED_LEN 4
+
+       if (tlv_buf_size
+           < (int)(PIM_MSG_REGISTER_BIT_RESERVED_LEN + sizeof(struct ip))) {
+               return 0;
+       }
        ip_hdr = (struct ip *)(tlv_buf + PIM_MSG_REGISTER_BIT_RESERVED_LEN);
 
        if (!pim_rp_check_is_my_ip_address(pim, dest_addr)) {